In 2018, will Canada finally lay out its cyber foreign policy?

Eight years after publishing its first cyber strategy, Canada has yet to develop a more comprehensive policy for guiding its cyber-related activities abroad. Paul Meyer looks to a recently released strategy in Australia for inspiration.

The last (and only) time the government of Canada issued a national cyber security strategy, in October 2010, it included a one-sentence acknowledgment that a cyber foreign policy should be developed, in order to ensure alignment between the government’s cyber activities and its broader foreign policy, international trade and security goals.

If it was already evident eight years ago that the challenges posed by the exploitation of global cyberspace would inevitably require more than simply domestic responses, events since have only reinforced that fact. Be it the magnitude of data theft by cyber intrusion (compromised accounts in the tens of millions are now commonplace) or the rapid growth in state-controlled offensive cyber capabilities (part of a potentially destabilizing “militarization” of cyberspace), the once relatively benign environment of cyberspace is under assault. The impact of the internet, an emblematic universal technology, on every society’s security and prosperity necessarily entails international and concerted action if such action is to be effective.

Canadians, however, are still waiting to learn of the cyber-related foreign policy its government intends to pursue. A five-year action plan to accompany the government’s strategy indicated that a cyber foreign policy was under development by the Department of Foreign Affairs and International Trade (now Global Affairs Canada) and was “on track” for completion by the fall of 2013, yet that deadline was passed long ago with no sign of this product. A September 2017 evaluation of the strategy undertaken by the government only repeated the call for developing such a foreign policy.

If Canada seems paralyzed in its efforts to articulate a foreign policy to guide the nation’s actions relating to cyberspace, Australia has provided a model of what such a foreign policy might look like. In Australia’s International Cyber Engagement Strategy, a document of more than 100 pages released by its Department of Foreign Affairs (DFAT) in October 2017, Canberra has demonstrated what a coherent foreign policy to advance national goals regarding cyberspace might look like. The development of such a cyber foreign policy was announced by Prime Minister Malcolm Turnbull in April 2016. In that same statement, Turnbull also announced the appointment of an ambassador for cyber affairs at DFAT, to be tasked with the development of the foreign policy. This senior appointment and the prompt development of the foreign policy attest to the priority attached to this realm by the Australian government and its determination to be a shaper and not simply a receiver of global cyber policy.

There is no simple explanation for why Canada has lagged so far behind Australia in devising a more comprehensive and robust cyber strategy. Clearly the decision by the Australian government in 2011 to put responsibility for cyber in the Department of the Prime Minister has given it a higher profile and priority within the public administration. The stronger resonance that international security issues seem to have for Australia may explain why its national security establishment was quicker to recognize the growing threat of cyber attack and to be more proactive in fashioning responses to it. There is also, within DFAT there, a capacity to produce serious foreign policy documents supported by targeted diplomatic action that seems beyond the current reach of a diminished and distracted foreign ministry in Canada.

One can only hope that the Australian example will prompt Ottawa to issue a fuller and updated cyber strategy in both its national and global dimensions. Under an overarching commitment to safeguard “a peaceful online environment,” Australia’s policy document sets out a “a whole-of-government approach across seven key themes: Digital Trade, Cyber Security, Cybercrime, International Security, Internet Governance & Cooperation, Human Rights & Democracy Online and Technology for Development.” For each of these themes the strategy provides an analysis of the subject field, identifies objectives and suggests a course of action for Australia to pursue in the international arena to advance these aims.

Throughout the strategy document there is an emphasis on both a coherent national effort and the importance of working with international partners to achieve regional and global cyber objectives. There is a clear-eyed recognition of cyber threats originating with state and non-state actors alike, coupled with an affirmation of the potential for international cooperation to sustain “a peaceful and stable cyberspace.”

In Australia’s view, the international community has made good progress “in delineating the boundaries of what is and isn’t acceptable behaviour by states in cyberspace.” But, the document notes, some states “are testing, and even crossing, those boundaries.” In response, Australia will “undertake diplomatic action to support an international cooperative architecture that promotes stability, and responds to and deters unacceptable behaviour in cyberspace.”

In its approach to internet governance, Australia stresses its support for a “multi-stakeholder” model that underpins the free and open nature of the internet by including private sector and civil society representatives in the discussion of global governance. However, it notes that such a model cannot be taken for granted, and warns that “as the strategic importance of cyberspace increases, so too will strategic competition over its future development.”

The implementation of the Australia’s international cyber strategy is to be overseen by Tobias Feakin, the newly-appointed ambassador for cyber affairs, who will convene a whole-of-government working group meeting quarterly to monitor progress. As the ultimate effectiveness of an official strategy is often a function of the resources assigned to its implementation, it is notable that DFAT was granted a further $10 million over three years to an existing allocation of $4 million to carry forward the strategy.

Perhaps the government of Canada could make a new year’s resolution, inspired by the achievements of our Australian friends, to finally produce a cyber foreign policy statement this year to guide our international conduct. It is 2018, after all.